#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News
State of SaaS

Spear Phishing | Breaking Cybersecurity News | The Hacker News

Category — Spear Phishing
CERT-UA Warns of Cyber Scams Using Fake AnyDesk Requests for Fraudulent Security Audits

CERT-UA Warns of Cyber Scams Using Fake AnyDesk Requests for Fraudulent Security Audits

Jan 21, 2025 Malware / Cyber Threat
The Computer Emergency Response Team of Ukraine (CERT-UA) is warning of ongoing attempts by unknown threat actors to impersonate the cybersecurity agency by sending AnyDesk connection requests. The AnyDesk requests claim to be for conducting an audit to assess the "level of security," CERT-UA added, cautioning organizations to be on the lookout for such social engineering attempts that seek to exploit user trust. "It is important to note that CERT-UA may, under certain circumstances, use remote access software such as AnyDesk," CERT-UA said . "However, such actions are taken only after prior agreement with the owners of objects of cyber defense through officially approved communication channels." However, for this attack to succeed, it's necessary that the AnyDesk remote access software is installed and operational on the target's computer. It also requires the attacker to be in possession of the target's AnyDesk identifier , suggesting th...
Russian Star Blizzard Targets WhatsApp Accounts in New Spear-Phishing Campaign

Russian Star Blizzard Targets WhatsApp Accounts in New Spear-Phishing Campaign

Jan 16, 2025 Spear Phishing / Threat Intelligence
The Russian threat actor known as Star Blizzard has been linked to a new spear-phishing campaign that targets victims' WhatsApp accounts, signaling a departure from its longstanding tradecraft in a likely attempt to evade detection. "Star Blizzard's targets are most commonly related to government or diplomacy (both incumbent and former position holders), defense policy or international relations researchers whose work touches on Russia, and sources of assistance to Ukraine related to the war with Russia," the Microsoft Threat Intelligence team said in a report  shared with The Hacker News. Star Blizzard (formerly SEABORGIUM) is a Russia-linked threat activity cluster known for its credential harvesting campaigns. Active since at least 2012, it's also tracked under the monikers Blue Callisto, BlueCharlie (or TAG-53), Calisto (alternately spelled Callisto), COLDRIVER, Dancing Salome, Gossamer Bear, Iron Frontier, TA446, and UNC4057. Previously observed attack ...
4 Reasons Your SaaS Attack Surface Can No Longer be Ignored

4 Reasons Your SaaS Attack Surface Can No Longer be Ignored

Jan 14, 2025SaaS Security / Generative AI
What do identity risks, data security risks and third-party risks all have in common? They are all made much worse by SaaS sprawl. Every new SaaS account adds a new identity to secure, a new place where sensitive data can end up, and a new source of third party risk. Learn how you can protect this sprawling attack surface in 2025. What do identity risks, data security risks and third-party risks all have in common? They are all made much worse by SaaS sprawl. Every new SaaS account adds a new identity to secure, a new place where sensitive data can end up, and a new source of third-party risk. And, this growing attack surface, much of which is unknown or unmanaged in most orgs, has become an attractive target for attackers. So, why should you prioritize securing your SaaS attack surface in 2025? Here are 4 reasons. ‍ 1. Modern work runs on SaaS. When's the last time you used something other than a cloud-based app to do your work? Can't remember? You're not alone.  Outside of ...
APT29 Hackers Target High-Value Victims Using Rogue RDP Servers and PyRDP

APT29 Hackers Target High-Value Victims Using Rogue RDP Servers and PyRDP

Dec 18, 2024 Cyber Espionage / Malware
The Russia-linked APT29 threat actor has been observed repurposing a legitimate red teaming attack methodology as part of cyber attacks leveraging malicious Remote Desktop Protocol (RDP) configuration files. The activity, which has targeted governments and armed forces, think tanks, academic researchers, and Ukrainian entities, entails adopting a "rogue RDP" technique that was previously documented by Black Hills Information Security in 2022, Trend Micro said in a report. "A victim of this technique would give partial control of their machine to the attacker, potentially leading to data leakage and malware installation," researchers Feike Hacquebord and Stephen Hilt said . The cybersecurity company is tracking the threat group under its own moniker Earth Koshchei, stating preparations for the campaign began as early as August 7-8, 2024. The RDP campaigns were also spotlighted by the Computer Emergency Response Team of Ukraine (CERT-UA), Microsoft, and Amazon ...
cyber security

2024: A Year of Identity Attacks | Get the New eBook

websitePush SecurityIdentity Security
Prepare to defend against identity attacks in 2025 by looking back at identity-based breaches in 2024.
Hackers Leveraging Cloudflare Tunnels, DNS Fast-Flux to Hide GammaDrop Malware

Hackers Leveraging Cloudflare Tunnels, DNS Fast-Flux to Hide GammaDrop Malware

Dec 06, 2024 Malware / Threat Intelligence
The threat actor known as Gamaredon has been observed leveraging Cloudflare Tunnels as a tactic to conceal its staging infrastructure hosting a malware called GammaDrop. The activity is part of an ongoing spear-phishing campaign targeting Ukrainian entities since at least early 2024 that's designed to drop the Visual Basic Script malware, Recorded Future's Insikt Group said in a new analysis. The cybersecurity company is tracking the threat actor under the name BlueAlpha, which is also known as Aqua Blizzard, Armageddon, Hive0051, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, UAC-0010, UNC530, and Winterflounder. The group, believed to be active since 2014, is affiliated with Russia's Federal Security Service (FSB). "BlueAlpha has recently started using Cloudflare Tunnels to conceal staging infrastructure used by GammaDrop , an increasingly popular technique used by cybercriminal threat groups to deploy malware," Insikt Group noted . "BlueAl...
ANEL and NOOPDOOR Backdoors Weaponized in New MirrorFace Campaign Against Japan

ANEL and NOOPDOOR Backdoors Weaponized in New MirrorFace Campaign Against Japan

Dec 05, 2024 Cyber Espionage / Malware
The China-linked threat actor known as MirrorFace has been attributed to a new spear-phishing campaign mainly targeting individuals and organizations in Japan since June 2024. The aim of the campaign is to deliver backdoors known as NOOPDOOR (aka HiddenFace) and ANEL (aka UPPERCUT), Trend Micro said in a technical analysis. "An interesting aspect of this campaign is the comeback of a backdoor dubbed ANEL, which was used in campaigns targeting Japan by APT10 until around 2018 and had not been observed since then," security researcher Hara Hiroaki said . It's worth noting that MirrorFace's use of ANEL was also documented by ESET last month as part of a cyber attack targeting a diplomatic organization in the European Union using lures related to the World Expo. MirrorFace, also known as Earth Kasha, is the name given to a Chinese threat actor that's known for its persistent targeting of Japanese entities. It's assessed to be a sub-cluster within APT10. ...
Astaroth Banking Malware Resurfaces in Brazil via Spear-Phishing Attack

Astaroth Banking Malware Resurfaces in Brazil via Spear-Phishing Attack

Oct 16, 2024 Cyber Attack / Banking Trojan
A new spear-phishing campaign targeting Brazil has been found delivering a banking malware called Astaroth (aka Guildma) by making use of obfuscated JavaScript to slip past security guardrails. "The spear-phishing campaign's impact has targeted various industries, with manufacturing companies, retail firms, and government agencies being the most affected," Trend Micro said in a new analysis. "The malicious emails often impersonate official tax documents, using the urgency of personal income tax filings to trick users into downloading the malware." The cybersecurity company is tracking the threat activity cluster under the name Water Makara. It's worth pointing out that Google's Threat Analysis Group (TAG) has assigned the moniker PINEAPPLE to a similar intrusion set that delivers the same malware to Brazilian users. Both these campaigns share a point of commonality in that they commence with phishing messages that impersonate official entities su...
Russian Hackers Target Europe with HeadLace Malware and Credential Harvesting

Russian Hackers Target Europe with HeadLace Malware and Credential Harvesting

May 31, 2024 Cyber Attack / Credential Harvesting
The Russian GRU-backed threat actor APT28 has been attributed as behind a series of campaigns targeting networks across Europe with the HeadLace malware and credential-harvesting web pages. APT28, also known by the names BlueDelta, Fancy Bear, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422, is an advanced persistent threat (APT) group affiliated with Russia's strategic military intelligence unit, the GRU. The hacking crew operates with a high level of stealth and sophistication, often demonstrating their adaptability through deep preparedness and custom tooling, and relying on legitimate internet services (LIS) and living off-the-land binaries (LOLBins) to conceal their operations within regular network traffic. "From April to December 2023, BlueDelta deployed Headlace malware in three distinct phases using geofencing techniques to target networks throughout Europe with a heavy focus on Ukraine," Recorded Future's Insikt ...
FIN7 Cybercrime Group Targeting U.S. Auto Industry with Carbanak Backdoor

FIN7 Cybercrime Group Targeting U.S. Auto Industry with Carbanak Backdoor

Apr 18, 2024 Cyber Attack / Malware
The infamous cybercrime syndicate known as FIN7 has been linked to a spear-phishing campaign targeting the U.S. automotive industry to deliver a known backdoor called Carbanak (aka Anunak). "FIN7 identified employees at the company who worked in the IT department and had higher levels of administrative rights," the BlackBerry research and intelligence team  said  in a new write-up. "They used the lure of a free IP scanning tool to run their well-known Anunak backdoor and gain an initial foothold utilizing living off the land binaries, scripts, and libraries ( LOLBAS )." FIN7, also known as Carbon Spider, Elbrus, Gold Niagara, ITG14, and Sangria Tempest, is a well-known  financially motivated e-crime group  that has a track record of striking a wide range of industry verticals to deliver malware capable of stealing information from point-of-sale (PoS) systems since 2012. In recent years, the threat actor has  transitioned  to  conducting ransomwar...
APT28 Hacker Group Targeting Europe, Americas, Asia in Widespread Phishing Scheme

APT28 Hacker Group Targeting Europe, Americas, Asia in Widespread Phishing Scheme

Mar 18, 2024 Cyber Warfare / Malware
The Russia-linked threat actor known as  APT28  has been linked to multiple ongoing phishing campaigns that employ lure documents imitating government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. "The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production," IBM X-Force  said  in a report published last week. The tech company is tracking the activity under the moniker  ITG05 , which is also known as Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, Pawn Storm, Sednit, Sofacy, TA422, and UAC-028. The disclosure comes more than three months after the adversary was spotted using decoys related to...
Decoy Microsoft Word Documents Used to Deliver Nim-Based Malware

Decoy Microsoft Word Documents Used to Deliver Nim-Based Malware

Dec 22, 2023 Social Engineering / Malware Analysis
A new phishing campaign is leveraging decoy Microsoft Word documents as bait to deliver a backdoor written in the  Nim programming language . "Malware written in uncommon programming languages puts the security community at a disadvantage as researchers and reverse engineers' unfamiliarity can hamper their investigation," Netskope researchers Ghanashyam Satpathy and Jan Michael Alcantara  said . Nim-based malware has been a rarity in the threat landscape, although that has been slowly changing in recent years as attackers continue to either develop custom tools from scratch using the language or port existing versions of their nefarious programs to it. This has been demonstrated in the case of loaders such as  NimzaLoader ,  Nimbda ,  IceXLoader , as well as ransomware families tracked under the names  Dark Power  and  Kanti . The attack chain documented by Netskope begins with a phishing email containing a Word document attachment that, when...
N. Korea's Kimsuky Targeting South Korean Research Institutes with Backdoor Attacks

N. Korea's Kimsuky Targeting South Korean Research Institutes with Backdoor Attacks

Dec 08, 2023 Cyber Espionage / Cryptocurrency
The North Korean threat actor known as  Kimsuky  has been observed targeting research institutes in South Korea as part of a spear-phishing campaign with the ultimate goal of distributing backdoors on compromised systems. "The threat actor ultimately uses a backdoor to steal information and execute commands," the AhnLab Security Emergency Response Center (ASEC)  said  in an analysis posted last week. The attack chains commence with an import declaration lure that's actually a malicious JSE file containing an obfuscated PowerShell script, a Base64-encoded payload, and a decoy PDF document. The next stage entails opening the PDF file as a diversionary tactic, while the PowerShell script is executed in the background to launch the backdoor. The malware, for its part, is configured to collect network information and other relevant data (i.e., host name, user name, and operating system version) and transmit the encoded details to a remote server. It's also capable o...
Microsoft Warns of COLDRIVER's Evolving Evasion and Credential-Stealing Tactics

Microsoft Warns of COLDRIVER's Evolving Evasion and Credential-Stealing Tactics

Dec 07, 2023 Threat Intelligence / Cyber Espionage
The threat actor known as COLDRIVER has continued to engage in credential theft activities against entities that are of strategic interests to Russia while simultaneously improving its detection evasion capabilities. The Microsoft Threat Intelligence team is tracking under the cluster as  Star Blizzard  (formerly SEABORGIUM). It's also called Blue Callisto, BlueCharlie (or TAG-53), Calisto (alternately spelled Callisto), Gossamer Bear, and TA446. The adversary "continues to prolifically target individuals and organizations involved in international affairs, defense, and logistics support to Ukraine, as well as academia, information security companies, and other entities aligning with Russian state interests," Redmond  said . Star Blizzard , linked to Russia's Federal Security Service (FSB), has a  track record  of setting up lookalike domains that impersonate the login pages of targeted companies. It's known to be active since at least 2017. In August 2023...
Iran's MuddyWater Targets Israel in New Spear-Phishing Cyber Campaign

Iran's MuddyWater Targets Israel in New Spear-Phishing Cyber Campaign

Nov 02, 2023 Cyber Attack / Malware
The Iranian nation-state actor known as  MuddyWater  has been linked to a new spear-phishing campaign targeting two Israeli entities to ultimately deploy a legitimate remote administration tool from N-able called  Advanced Monitoring Agent . Cybersecurity firm Deep Instinct, which disclosed details of the attacks,  said  the campaign "exhibits updated TTPs to previously reported MuddyWater activity," which has, in the past, used similar attack chains to distribute other remote access tools like  ScreenConnect, RemoteUtilities, Syncro , and  SimpleHelp . While the latest development marks the first time MuddyWater has been observed using N-able's remote monitoring software, it also underscores the fact that the largely unchanged modus operandi continues to yield some level of success for the threat actor. The findings have also been separately confirmed by cybersecurity company Group-IB in a post shared on X (formerly Twitter). The state-sponsore...
YoroTrooper: Researchers Warn of Kazakhstan's Stealthy Cyber Espionage Group

YoroTrooper: Researchers Warn of Kazakhstan's Stealthy Cyber Espionage Group

Oct 26, 2023 Endpoint Protection / Malware
A relatively new threat actor known as  YoroTrooper  is likely made up of operators originating from Kazakhstan. The assessment, which comes from Cisco Talos, is based on their fluency in Kazakh and Russian, use of Tenge to pay for operating infrastructure, and very limited targeting of Kazakhstani entities, barring the government's Anti-Corruption Agency. "YoroTrooper attempts to obfuscate the origin of their operations, employing various tactics to make its malicious activity appear to emanate from Azerbaijan, such as using VPN exit nodes local to that region," security researchers Asheer Malhotra and Vitor Ventura  said . First documented by the cybersecurity company in March 2023, the adversary is  known to be active  since at least June 2022, singling out various state-owned entities in the Commonwealth of Independent States (CIS) countries. Slovak cybersecurity firm ESET is tracking the activity under the name  SturgeonPhisher . YoroTrooper's at...
Iranian APT Group OilRig Using New Menorah Malware for Covert Operations

Iranian APT Group OilRig Using New Menorah Malware for Covert Operations

Sep 30, 2023 Cyber Espionage / Malware
Sophisticated cyber actors backed by Iran known as  OilRig  have been linked to a spear-phishing campaign that infects victims with a new strain of malware called Menorah. "The malware was designed for cyberespionage, capable of identifying the machine, reading and uploading files from the machine, and downloading another file or malware," Trend Micro researchers Mohamed Fahmy and Mahmoud Zohdy  said  in a Friday report. The victimology of the attacks is not immediately known, although the use of decoys indicates at least one of the targets is an organization located in Saudi Arabia. Also tracked under the names APT34, Cobalt Gypsy, Hazel Sandstorm, and Helix Kitten,  OilRig  is an Iranian advanced persistent threat (APT) group that specializes in covert intelligence gathering operations to infiltrate and maintain access within targeted networks. The revelation builds on  recent findings  from NSFOCUS, which uncovered an OilRig phishing atta...
North Korean UNC2970 Hackers Expands Operations with New Malware Families

North Korean UNC2970 Hackers Expands Operations with New Malware Families

Mar 10, 2023 Cyber Attack / Malware
A North Korean espionage group tracked as  UNC2970  has been observed employing previously undocumented malware families as part of a spear-phishing campaign targeting U.S. and European media and technology organizations since June 2022. Google-owned Mandiant said the threat cluster shares "multiple overlaps" with a  long-running   operation   dubbed  " Dream Job " that employs job recruitment lures in email messages to trigger the infection sequence. UNC2970 is the new moniker designated by the threat intelligence firm to a set of North Korean cyber activity that maps to UNC577 (aka Temp.Hermit ), and which also comprises another nascent threat cluster tracked as UNC4034. The UNC4034 activity, as  documented  by Mandiant in September 2022, entailed the use of WhatsApp to socially engineer targets into downloading a  backdoor  called AIRDRY.V2 under the pretext of sharing a skills assessment test. "UNC2970 has a concerted effort tow...
Expert Insights / Articles Videos
Cybersecurity Resources